MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DanaBot


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645
SHA3-384 hash: 2cfbe9c3470762c2f25a6903924e560f67f2a2774009541a438b2484203e061b7cd417257e22bac762013cc1a0954dc8
SHA1 hash: f897f0ece493b818397fc8f0c6f9e6201982f9ce
MD5 hash: 186ec54b52e2ca24990f4e6cb5f4c86d
humanhash: pluto-kitten-golf-magnesium
File name:186ec54b52e2ca24990f4e6cb5f4c86d
Download: download sample
Signature DanaBot
Create hunting rule
File size:1'255'424 bytes
First seen:2022-03-01 19:45:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 26b4d512596063f87f095ddd2779dc70 (2 x ArkeiStealer, 1 x Smoke Loader, 1 x DanaBot)
ssdeep 24576:7ADt/dByI01T/fslLidpxa0MePKE7ffkxyn/p8ou6pu:7S+T8VqxkE7ffkzoVu
TLSH T1A6451240B6A0D03EE0B751F4797A93ACA22D7DB16B3056CF52D62ADE56742E0ECB1307
File icon (PE):PE icon
dhash icon 25ac1378399b9b91 (28 x Smoke Loader, 24 x Amadey, 21 x RedLineStealer)
Reporter zbetcheckin
Tags:32 DanaBot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
468
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/245987/
Detection(s):
Win.Dropper.Generickdz-9939781-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Creating a window
Launching a process
Sending an HTTP GET request
Creating a file in the %temp% directory
Сreating synchronization primitives
Unauthorized injection to a system process
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7799/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/621e77ffdfdfa8501c72e801/reports/fb75aeb1-b06b-48c3-9520-843da88fe55b/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DanaBot
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/598690a9-620b-456c-b12c-7ea7e20ab179
Result
Threat name:
DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/948563
Signature
Antivirus detection for URL or domain
Delayed program exit found
Machine Learning detection for sample
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 581040 Sample: 75wDmbgzLy.exe Startdate: 01/03/2022 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for domain / URL 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 4 other signatures 2->48 6 75wDmbgzLy.exe 3 2->6         started        process3 signatures4 50 Overwrites code with function prologues 6->50 9 rundll32.exe 13 6->9         started        14 rundll32.exe 6->14         started        16 WerFault.exe 16 6->16         started        18 8 other processes 6->18 process5 dnsIp6 32 23.106.122.14, 443, 49769, 49789 LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Singapore 9->32 20 C:\Users\user\AppData\...\Tedyyqtuoqfyeed.tmp, DOS 9->20 dropped 52 Delayed program exit found 9->52 34 201.42.87.46, 443, 49818 TELEFONICABRASILSABR Brazil 14->34 36 192.236.161.4, 443, 49791, 49802 HOSTWINDSUS United States 14->36 40 4 other IPs or domains 14->40 54 System process connects to network (likely due to code injection or exploit) 14->54 38 192.168.11.1 unknown unknown 16->38 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->22 dropped 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->28 dropped 30 5 other malicious files 18->30 dropped file7 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-03-01 19:46:17 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
22 of 27 (81.48%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220301-ygys8achek/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Blocklisted process makes network request
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
a3534aa97c9a4aec7bcc3988e7d09d9dae255ec515de4be45e2a8c91a9a36c33
MD5 hash:
d52108dd93c61ea65e1e75c67375bbf6
SHA1 hash:
27af0b6a75f69afc4f6ab6a617a1bed8acae03ec
Link:
https://www.unpac.me/results/5515e647-cd28-4858-ab84-331d0c1378c3/
SH256 hash:
d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645
MD5 hash:
186ec54b52e2ca24990f4e6cb5f4c86d
SHA1 hash:
f897f0ece493b818397fc8f0c6f9e6201982f9ce
Link:
https://www.unpac.me/results/5515e647-cd28-4858-ab84-331d0c1378c3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d884436a17d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

Executable exe d884436a17d35656ddeae1a06103d0b787d9f22851fedba571293898f6fd3645

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2069366/
Cape
Cape
https://www.capesandbox.com/analysis/245987/

Comments


Avatar
zbet commented on 2022-03-01 19:45:10 UTC

url : hxxp://45.153.241.104/kde.exe